Career Spotlight: What I Do as an « Ethical Hacker »
Career Spotlight: What I Do as an « Ethical Hacker »
You occasionally hear about major security vulnerabilities being discovered before they’re exploited, like the notorious Heartbleed bug last year. Security researchers work hard to weed out those dangerous flaws before they’re found by hackers of more malicious intent. This breed of preemptive hacking is sometimes referred to as white hat, or simply “ethical hacking.”
These hackers work with businesses to probe their networks for security holes, vulnerabilities to social engineering, and more, while considering the mindset of someone who might have criminal motivations. To learn about what such work is like we spoke with Ben Miller, an ethical hacker at Parameter Security.
First of all, tell us a little about your current position and how long you’ve been at it.
I’m an “ethical hacker” at Parameter Security, which means companies basically hire me to try to break into their computer networks in order to figure out how a real criminal would do it. People in this profession use all sorts of tricks to sneak in—you can hack your way in, con employees over the phone or email, use impersonation to walk in, it really doesn’t matter. I’ve never come across a business that couldn’t be compromised. I’ve broken into a wide range of companies and organizations, from banks to hospitals, Fortune 500s, manufacturers, city utilities, government agencies, you name it.
I’ve been hacking full-time for the last five years and it’s really one of the most interesting and challenging jobs anyone can have. It’s also incredibly rewarding, because I know I’m helping to protect companies and institutions from malicious hackers who would otherwise have nothing to stop them from breaking in.
What drove you to choose your career path?
I knew from a young age that I was interested in computers. I grew up on a farm in northeast Missouri, and while I learned early on the value of hard work, persistence, and making your own goals, I also realized as a kid that I had no desire to come home dirty and bloody from farm work every day. Luckily, my insightful father bought a family computer when I was in grade school. It was an IBM-Comptible 286 processor system. I learned neat tricks on Windows 3.1 and MSDOS like “DELTREE” which deleted an entire file structure and how to change colors on the background. I enjoyed teaching the non-damaging tricks at my junior high school and soon I was accepted into a school program to help teachers with their computer problems.
However, it wasn’t until I saw the movie Sneakers that I realized just how much potential there was for my interest in computers. Seriously, that movie had a big impact on me—and I bet others in this field, who were around at the same time, probably felt this way too. That was really my first glimpse into the world of ethical hacking, and I was drawn to it right away. Seeing Robert Redford use social engineering to pull off these incredible feats, and the way “Whistler” never got rattled by obstacles, but instead just used technology and logic to overcome them, that made a big impression on me. I had always been drawn to technology, but seeing the potential of it, maybe also the “coolness” factor too, and how it could be used to do good in the world, that really excited me.
All sorts of people are drawn to ethical hacking, with all types of backgrounds and motivations, but I think in the end most of these people are just drawn to technology early on, and it’s the challenge and creative thinking of figuring out a way to bypass a software control or make a program do something entirely new that constantly pushes them to go further and further with it—until it becomes a career.
How did you go about getting your job? What kind of education and experience did you need?
Ethical hacking isn’t a regular kind of job. You don’t have to have a college diploma or a certification to do it. All you need is a good knowledge of computers, software and programming languages, creativity, and drive.
In my case, I went to college in 1999 and graduated with a degree in computer systems and networking. Unfortunately, the dotcom bubble burst right after I graduated, so I had a hard time finding a good job in this field. I ended up going back to college to study religion, and it wasn’t until 2006 that one of my friends told me about an opening at the county hospital for a network administrator. While I worked there, I spent a lot of time focused on making sure the hospital’s network was HIPAA compliant, so that it wasn’t exposing patient data or vulnerable to hackers who would try to steal it. I knew that if I was going to keep criminals out of the hospital, I’d have to learn their tricks and how they operated, so I took a “Certified Ethical Hacker” course that was being offered by a local company. This course, which was taught by my future boss, focused on the mindset and techniques of the criminal hacker—it basically taught you how to think like a criminal hacker. After the second day, I knew this is what I wanted to do full time and my ethical hacking instructor (Dave Chronister) hired me a year later, once I had proven myself in the field.
Did you need any licenses or certifications?
You don’t have to have any certifications to be an ethical hacker, but it’s always a good idea to get them, as it proves your knowledge and experience in key areas. There are dozens of certifications out there, and whether or not they are worthwhile to your career depends heavily on what types of businesses you want to work for. Do research on a certification or class before you spend your money! However, if you do forensic investigations for clients, most states require a private investigator license.
Problem solving, persistence, and good communication skills are all key traits to have for this job.
What kinds of things do you do beyond what most people see? What do you actually spend the majority of your time doing?
I get to see deep inside critical networks (think banks, hospitals, utilities, major companies), and see just how vulnerable they really are if the right attacker happened to target them. It’s sort of like seeing how the sausage is made, because you see how these really important systems are often running on older software and hardware, or they have vulnerable programs that are still unpatched, or they’re connected to things they shouldn’t be, or default passwords are left in place. The whole network, which might be protecting your money or personal records or helping to keep the lights on and the water running, is a patchwork of problematic systems that aren’t as hard to exploit as we’d like to think.
I also see attacks or hear about attacks on Twitter long before they hit the news.
Much of my time is spent probing or scanning networks, looking for vulnerabilities, etc., but just as much time is spent communicating with the client and documenting what I’ve done in a written report. I tell hacker students and new employees, “You will write more reports as a hacker than you ever did at school!” The deliverable report is the one piece of the engagement that a client will keep and be able to mull over long after the ‘warm fuzzies’ from your personal care have faded. It needs to be just as good.
But clients get to see pretty much everything we do—it’s a very open process so that they can learn and see their network from our perspective as well. The only thing they miss is the look on my face at 2am when I finally pull off an exploit while watching How It’s Made reruns.
What misconceptions do people often have about your job?
Probably the biggest thing is that people think the term “hacker” always means a criminal or [someone] malicious. A hacker is basically someone who likes to tinker with tools and software, figure out ways to solve problems or open up new possibilities for using technology. The ones who do it to steal money or hurt people are just criminals. We shouldn’t have to call ourselves “ethical” hackers—we should instead emphasize that the bad guys are “criminal hackers.”
People also see the attacks we simulate and feel that we are performing magic. Hackers understand the important truth that computers only do what they are told, and many times the actions users take are not in their best interests. Whether they run improperly coded software, or if they click on an email promising them something, users (including IT personnel!) are often unaware of the scary things they end up doing.
Another misconception is that “all penetration tests are the same.” Unfortunately, in an industry as young and steeped in mystery as information security, there is a huge lack of knowledge about what a penetration test (i.e., an ethical hacking test of a company) should include. Efforts such as Pentest-Standard.org are trying to at least teach business and IT persons about what to expect out of a good penetration test from a knowledgeable company.
What are your average work hours?
It really depends on what you’re doing. If you’ve been hired to do a penetration test of a company, then you’re likely to work 8 to 10 hours per day, and jobs can run between
2 and 10 weeks. However, if you’re tooling around with a piece of software, looking for vulnerabilities, then it’s really up to you. I’ve never had a time when I’ve been sitting at a desk going, “When can I go home?” Much more common is my wife reminding me that sleep is a good thing, and I’ll probably be able to pull off whatever I am doing after I’ve had at least a nap.
However, if you’ve been called in to help a company recover from a breach (what we refer to as “incident response”), then all bets are off. That’s when you’re in crisis mode and you can easily pull a few all-nighters trying to stop the attack from progressing, control the damage, and figure out how to get the company back on track.
What personal tips and shortcuts have made your job easier?
Always be listening and reading. You may know a fabulous way to do something, but someone else may know another route that is quicker or easier. Document what you are doing and why and when so that when something goes wrong you can figure out what happened. Banging your head against a wall you should have gone around way earlier is a HUGE time waster.
Also, as my boss is fond of saying, and I’ve learned as well: “No client has ever been mad because you talked to them too much.” In nearly five years, I’ve only had one client say I didn’t need to call or email every day of the week while I was working on their network. People love to know what’s going on, even if what’s going on is, “we’re combing through tool output looking for things to break.”
What do you do differently from your coworkers or peers in the same profession? What do they do instead?
Unfortunately, there are many companies in this field that think ethical hacking is basically just scanning for vulnerabilities on a network. The problem with that type of thinking is that it doesn’t really show the client the full picture. Okay, I know this program and this program are vulnerable, but what does that actually mean? What could an attacker do with this vulnerability? How far could they go?
At our company, we’re extremely goal oriented. We see an ethical hacking test in terms of the real-world consequences for that institution, i.e., what would an attacker want to do (steal your data, perform illegal wire transfers, interfere with computer-based machinery, etc.) and how could they go about doing it? When we find vulnerabilities in a network, we look at the practical consequences of them, and you have to be creative to see the full potential of a security flaw and to put all the pieces together to figure out how a criminal would pull off a data or financial heist.
What’s the worst part of the job and how do you deal with it?
The worst part of this job is when you get clients who don’t really want to know how vulnerable they are. Sometimes it’s because they’re indifferent (many companies still think it’s cheaper to just fix the problem after the company’s been breached then to spend the money ahead of time on better security), but more often than not it’s fear-based. Sort of like when your car starts making a funny noise, but you don’t want to take it to the auto shop because you’re afraid of how much it will cost. Although cost isn’t the only thing they’re worried about—in many cases, you’re dealing with a senior level IT executive who is worried about his or her career; if the report shows too many problems, it makes him or her look bad.
The only way to deal with this aspect of the job is to stick to your guns—do your best, don’t hold back on the penetration testing, and report as clearly as you can exactly where the company is vulnerable and what that could mean. In the end, it’s up to the client to take the right steps to protect itself and its customers, you just have to hope they will.
What’s the most enjoyable part of the job?
This may be the hardest question to answer. To be honest, there is a thrill in knowing that what I do would be illegal except for a legal document that says I’m allowed to do it without getting in trouble. One of my favorite compliments from my former place of work was, “You think like a criminal!” (They didn’t mean it as a compliment.)
I work with amazing people, doing fun, hard work. We learn together and laugh a lot! When my wife and I had our third son, they bought baby supplies and superhero onesies.
I make a difference in the security mindset of businesses and, ultimately, in the lives of thousands of people, which is quite rewarding as well. The pay is also far better than I thought it would be, back when I watched Sneakers.
Do you have any advice for people who need to enlist your services?
Yes—don’t expect me to be a superhero. Often, clients think that when they hire you, you’re going to clean up everything, fix all their problems and make them 100% secure. There is no such thing as 100% secure. That’s not at all how it works. Clients have to be realistic—the goal with this type of work is to figure out what assets your company has that are most critical and what risks they can accept. You can’t prevent every attack from succeeding—no matter how good your security is, eventually someone will always get through. Therefore, ethical hackers are not only helping you prevent an attack, but also figuring out what steps you need to take to limit the damage when a successful attack happens.
You can’t protect what you don’t know exists. Therefore, the best documents to have on hand before hiring an ethical hacker to do a penetration test are a full inventory of systems, people, information, and a risk assessment document that has looked at overall business risks.
The penetration test has the goal of then finding a weakness, exploiting it, showing how a critical, unacceptable risk could be realized (such as sensitive information being taken off of your network and securely placed on the tester’s secure network), which is something you can then work to remediate.
The hard work for the client comes AFTER the test, learning how to do business in a less risky way.
What kind of money can one expect to make at your job?
I’m not one to talk money, but I really believe if you work hard, hone your skills (including soft skills like negotiation!), you can make as much money as you want to make in this field. If you want to make a lot of money straight out of school or fresh from getting a certification, you are going to be working for a company that owns you, forces you to travel a lot, and considers sleep a luxury. If you want to have some life/work balance, you are going to need some years of experience both in “regular” IT and security to start making the big bucks.
Also, location matters a lot, I’m in a good area for cost of living, and that helps.
How do you move up in your field?
This is fairly subjective. Some people become specialists in key areas, like software security (mobile and web apps), industrial control systems (utilities, manufacturing plants, etc.), social engineering (i.e., hacking people), etc. Others learn management skills and end up running teams of hackers.
In both cases, you have to focus on improving your knowledge and gaining as much field experience as possible. Certifications are good, but nothing beats performing these tests, or managing teams, in the field.
Another way to stand out is by conducting original research into security issues and presenting those at one of the many industry conferences that are held every year. It’s also a career booster if you can run a training camp at one of these conferences that teaches key skills.
What do your customers or clients under/over value?
Clients usually undervalue their own part in the process of security. They tend to believe that hiring a super hacker is all they need to keep the boogeymen away. They also tend to undervalue the worth of their assets. I’ve actually heard banks say, “we’re too small to be hacked.” The same is true with hospitals, global companies, etc. They all have a reason to say “it won’t happen to us!” until it actually does.
Companies also make the mistake of comparing themselves with their peers. This question often comes up in board rooms: “How do we compare to other businesses like ours?” No one wants to spend more money on security than their peers, as they feel they’re wasting their money if they do.
However, what is often overvalued by clients is compliance standards. Whether it’s PCI standards for retailers, or HIPAA in the healthcare industry, or anything else, simply meeting compliance standards doesn’t mean you’re actually secure. Compliance standards are just a baseline measurement of what an organization absolutely must do to not be fined or have corporate officers go to jail—companies have to go well beyond them to be truly secure.
What advice would you give to those aspiring to join your profession?
DO IT! We need more people who enjoy the puzzles, breaking things, fixing things, and the communication with people and the awesome experiences.
Love learning! If you cringe at the thought of having to rapidly learn a new skill, operating system, program syntax, or attack technique, you are quickly going to be fed up with the consultant/boutique-style work I do. However, there is hope! Take what you do love, figure out better ways to secure it in a business-feasible way, and work for the “blue teams” (i.e., the defense-focused teams) out there that desperately need more security-minded people as well.
This interview has been edited for clarity.